anil.recoil.org / zulip-netdata-bot
this repo has no description
0
fork

Configure Feed

Select the types of activity you want to include in your feed.

feat: add automated SSL certificate management with Let's Encrypt

- Implement CertificateManager class with ACME client integration
- Add automatic certificate obtaining and renewal functionality
- Support ACME HTTP-01 challenge for domain validation
- Include comprehensive certificate lifecycle management
- Update server configuration to support auto-cert mode
- Replace certbot dependency with direct ACME/josepy libraries
- Add comprehensive tests for certificate management
- Update documentation with automated SSL setup instructions
- Configure gitignore for certificate storage directories

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>

Anil Madhavapeddy bc11f495 7cabd8ef

+614 -108
+2
.gitignore
··· 204 204 205 205 thicket.yaml 206 206 bot-config/zuliprc 207 + certs 208 + .zuliprc
-5
.zuliprc.sample
··· 1 - [api] 2 - site=https://yourorg.zulipchat.com 3 - email=netdata-bot@yourorg.zulipchat.com 4 - key=your-api-key-here 5 - stream=netdata-alerts
+44 -17
README.md
··· 6 6 7 7 ## Features 8 8 9 - - 🔐 **HTTPS with Let's Encrypt**: Automatic SSL certificate management 9 + - 🔐 **Automated SSL Certificates**: Built-in Let's Encrypt integration with automatic renewal 10 10 - 🤝 **Mutual TLS**: Secure authentication with Netdata Cloud 11 11 - 📊 **Rich Formatting**: Beautiful Zulip messages with emojis and markdown 12 12 - 🏷️ **Topic Organization**: Automatic topic routing by severity level 13 13 - 📝 **Structured Logging**: JSON-structured logs for monitoring 14 14 - ⚡ **High Performance**: FastAPI-based webhook endpoint 15 + - 🚀 **Standalone**: No external dependencies like certbot required 15 16 16 17 ## Quick Start 17 18 ··· 53 54 export SERVER_DOMAIN=your-webhook-domain.com 54 55 export SERVER_PORT=8443 55 56 export SERVER_ENABLE_MTLS=true 56 - ``` 57 57 58 - ### 5. Setup SSL Certificate 59 - 60 - ```bash 61 - # Install certbot and obtain certificate 62 - sudo certbot certonly --standalone -d your-webhook-domain.com 63 - 64 - # Ensure certificate files are accessible 65 - sudo chown -R $USER:$USER /etc/letsencrypt/live/your-webhook-domain.com/ 58 + # For automated SSL certificates (recommended) 59 + export SERVER_AUTO_CERT=true 60 + export SERVER_CERT_EMAIL=admin@example.com 61 + # Use staging for testing (optional) 62 + export SERVER_CERT_STAGING=false 66 63 ``` 67 64 68 - ### 6. Run the Service 65 + ### 5. Run the Service 69 66 70 67 ```bash 68 + # With automated SSL certificates 71 69 netdata-zulip-bot 70 + 71 + # The bot will automatically: 72 + # 1. Obtain SSL certificates from Let's Encrypt 73 + # 2. Start the HTTPS server 74 + # 3. Renew certificates before expiration 72 75 ``` 73 76 74 77 ## Configuration ··· 104 107 105 108 Set these environment variables: 106 109 107 - - `SERVER_DOMAIN`: Your public domain (required for Let's Encrypt) 110 + - `SERVER_DOMAIN`: Your public domain (required) 108 111 - `SERVER_HOST`: Bind address (default: `0.0.0.0`) 109 112 - `SERVER_PORT`: HTTPS port (default: `8443`) 110 - - `SERVER_CERT_PATH`: Certificate path (default: `/etc/letsencrypt/live`) 111 113 - `SERVER_ENABLE_MTLS`: Enable mutual TLS (default: `true`) 112 114 115 + #### Automated SSL Configuration (Recommended) 116 + 117 + - `SERVER_AUTO_CERT`: Enable automatic certificate management (default: `false`) 118 + - `SERVER_CERT_EMAIL`: Email for Let's Encrypt account (required when auto_cert is true) 119 + - `SERVER_CERT_PATH`: Directory for storing certificates (default: `./certs`) 120 + - `SERVER_CERT_STAGING`: Use Let's Encrypt staging server for testing (default: `false`) 121 + - `SERVER_ACME_PORT`: Port for ACME HTTP-01 challenge (default: `80`) 122 + 123 + #### Manual SSL Configuration 124 + 125 + If not using automated certificates: 126 + - `SERVER_CERT_PATH`: Path to certificate directory 127 + - Place `fullchain.pem` and `privkey.pem` in `{SERVER_CERT_PATH}/{SERVER_DOMAIN}/` 128 + 113 129 ## Message Format 114 130 115 131 ### Alert Notifications ··· 197 213 198 214 ## Security 199 215 216 + ### SSL Certificate Management 217 + 218 + The bot includes fully automated SSL certificate management: 219 + 220 + 1. **Automatic Provisioning**: Obtains certificates from Let's Encrypt on first run 221 + 2. **Automatic Renewal**: Checks daily and renews certificates 30 days before expiration 222 + 3. **Zero Downtime**: Certificate renewal happens in the background 223 + 4. **ACME HTTP-01 Challenge**: Built-in challenge server (requires port 80 access) 224 + 200 225 ### Mutual TLS Authentication 201 226 202 227 The service supports mutual TLS to authenticate Netdata Cloud webhooks: 203 228 204 - 1. **Server Certificate**: Automatically managed by Let's Encrypt 229 + 1. **Server Certificate**: Automatically managed via built-in ACME client 205 230 2. **Client Verification**: Validates Netdata's client certificate 206 231 3. **CA Certificate**: Built-in Netdata CA certificate for client validation 207 232 ··· 269 294 270 295 ### Common Issues 271 296 272 - 1. **Certificate Not Found** 273 - - Ensure Let's Encrypt certificates exist at `/etc/letsencrypt/live/your-domain.com/` 274 - - Check file permissions 297 + 1. **Certificate Issues** 298 + - For automated certs: Ensure port 80 is accessible for ACME challenges 299 + - Domain must point to your server's IP address 300 + - Check `SERVER_CERT_EMAIL` is set for auto-cert mode 301 + - Use `SERVER_CERT_STAGING=true` for testing to avoid rate limits 275 302 276 303 2. **Zulip Connection Failed** 277 304 - Verify API credentials in zuliprc
+355
netdata_zulip_bot/cert_manager.py
··· 1 + """Automated SSL certificate management using ACME protocol.""" 2 + 3 + import asyncio 4 + import json 5 + import os 6 + import socket 7 + import threading 8 + import time 9 + from datetime import datetime, timezone 10 + from pathlib import Path 11 + from typing import Optional, Tuple 12 + 13 + import structlog 14 + from acme import challenges, client, errors, messages 15 + from cryptography import x509 16 + from cryptography.hazmat.backends import default_backend 17 + from cryptography.hazmat.primitives import hashes, serialization 18 + from cryptography.hazmat.primitives.asymmetric import rsa 19 + from cryptography.x509.oid import NameOID 20 + from fastapi import FastAPI 21 + from fastapi.responses import PlainTextResponse 22 + import uvicorn 23 + import josepy as jose 24 + 25 + logger = structlog.get_logger() 26 + 27 + LETSENCRYPT_DIRECTORY_URL = "https://acme-v02.api.letsencrypt.org/directory" 28 + LETSENCRYPT_STAGING_URL = "https://acme-staging-v02.api.letsencrypt.org/directory" 29 + 30 + 31 + class CertificateManager: 32 + """Manages SSL certificates using ACME protocol.""" 33 + 34 + def __init__( 35 + self, 36 + domain: str, 37 + email: str, 38 + cert_dir: Path, 39 + staging: bool = False, 40 + port: int = 80 41 + ): 42 + """Initialize certificate manager. 43 + 44 + Args: 45 + domain: Domain name for the certificate 46 + email: Email for Let's Encrypt account 47 + cert_dir: Directory to store certificates 48 + staging: Use Let's Encrypt staging server 49 + port: Port for HTTP-01 challenge server 50 + """ 51 + self.domain = domain 52 + self.email = email 53 + self.cert_dir = Path(cert_dir) 54 + self.cert_dir.mkdir(parents=True, exist_ok=True) 55 + self.staging = staging 56 + self.challenge_port = port 57 + 58 + self.directory_url = LETSENCRYPT_STAGING_URL if staging else LETSENCRYPT_DIRECTORY_URL 59 + self.account_key_path = self.cert_dir / "account_key.pem" 60 + self.cert_path = self.cert_dir / f"{domain}_cert.pem" 61 + self.key_path = self.cert_dir / f"{domain}_key.pem" 62 + self.fullchain_path = self.cert_dir / f"{domain}_fullchain.pem" 63 + 64 + # For HTTP-01 challenge 65 + self.challenge_tokens = {} 66 + self.challenge_server = None 67 + self.challenge_thread = None 68 + 69 + def _generate_private_key(self) -> rsa.RSAPrivateKey: 70 + """Generate a new RSA private key.""" 71 + return rsa.generate_private_key( 72 + public_exponent=65537, 73 + key_size=2048, 74 + backend=default_backend() 75 + ) 76 + 77 + def _get_or_create_account_key(self) -> jose.JWK: 78 + """Get existing account key or create a new one.""" 79 + if self.account_key_path.exists(): 80 + with open(self.account_key_path, 'rb') as f: 81 + key_data = f.read() 82 + private_key = serialization.load_pem_private_key( 83 + key_data, password=None, backend=default_backend() 84 + ) 85 + else: 86 + private_key = self._generate_private_key() 87 + key_pem = private_key.private_bytes( 88 + encoding=serialization.Encoding.PEM, 89 + format=serialization.PrivateFormat.TraditionalOpenSSL, 90 + encryption_algorithm=serialization.NoEncryption() 91 + ) 92 + with open(self.account_key_path, 'wb') as f: 93 + f.write(key_pem) 94 + logger.info("Created new account key", path=str(self.account_key_path)) 95 + 96 + return jose.JWK.load(private_key.private_bytes( 97 + encoding=serialization.Encoding.PEM, 98 + format=serialization.PrivateFormat.TraditionalOpenSSL, 99 + encryption_algorithm=serialization.NoEncryption() 100 + )) 101 + 102 + def _create_csr(self, private_key: rsa.RSAPrivateKey) -> bytes: 103 + """Create a Certificate Signing Request.""" 104 + csr = x509.CertificateSigningRequestBuilder().subject_name( 105 + x509.Name([ 106 + x509.NameAttribute(NameOID.COMMON_NAME, self.domain), 107 + ]) 108 + ).sign(private_key, hashes.SHA256(), backend=default_backend()) 109 + 110 + return csr.public_bytes(serialization.Encoding.DER) 111 + 112 + def _start_challenge_server(self): 113 + """Start HTTP server for ACME challenges.""" 114 + app = FastAPI() 115 + 116 + @app.get("/.well-known/acme-challenge/{token}") 117 + async def acme_challenge(token: str): 118 + """Serve ACME challenge responses.""" 119 + if token in self.challenge_tokens: 120 + logger.info("Serving ACME challenge", token=token) 121 + return PlainTextResponse(self.challenge_tokens[token]) 122 + logger.warning("Unknown ACME challenge token", token=token) 123 + return PlainTextResponse("Not found", status_code=404) 124 + 125 + def run_server(): 126 + """Run the challenge server in a thread.""" 127 + try: 128 + uvicorn.run( 129 + app, 130 + host="0.0.0.0", 131 + port=self.challenge_port, 132 + log_level="error" 133 + ) 134 + except Exception as e: 135 + logger.error("Challenge server error", error=str(e)) 136 + 137 + self.challenge_thread = threading.Thread(target=run_server, daemon=True) 138 + self.challenge_thread.start() 139 + 140 + # Give the server time to start 141 + time.sleep(2) 142 + logger.info("Started ACME challenge server", port=self.challenge_port) 143 + 144 + def _stop_challenge_server(self): 145 + """Stop the challenge server.""" 146 + if self.challenge_thread and self.challenge_thread.is_alive(): 147 + # The thread is daemon, so it will stop when the main process exits 148 + logger.info("Challenge server will stop with main process") 149 + 150 + def _perform_http01_challenge( 151 + self, 152 + acme_client: client.ClientV2, 153 + authz: messages.Authorization 154 + ) -> bool: 155 + """Perform HTTP-01 challenge.""" 156 + # Find HTTP-01 challenge 157 + http_challenge = None 158 + for challenge in authz.body.challenges: 159 + if isinstance(challenge.chall, challenges.HTTP01): 160 + http_challenge = challenge 161 + break 162 + 163 + if not http_challenge: 164 + logger.error("No HTTP-01 challenge found") 165 + return False 166 + 167 + # Prepare challenge response 168 + response, validation = http_challenge.chall.response_and_validation( 169 + acme_client.net.key 170 + ) 171 + 172 + # Store challenge token and response 173 + self.challenge_tokens[http_challenge.chall.token.decode('utf-8')] = validation 174 + 175 + logger.info( 176 + "Prepared HTTP-01 challenge", 177 + token=http_challenge.chall.token.decode('utf-8'), 178 + domain=self.domain 179 + ) 180 + 181 + # Notify ACME server that we're ready 182 + acme_client.answer_challenge(http_challenge, response) 183 + 184 + # Wait for challenge validation 185 + max_attempts = 30 186 + for attempt in range(max_attempts): 187 + time.sleep(2) 188 + try: 189 + authz, _ = acme_client.poll(authz) 190 + if authz.body.status == messages.STATUS_VALID: 191 + logger.info("Challenge validated successfully") 192 + return True 193 + elif authz.body.status == messages.STATUS_INVALID: 194 + logger.error("Challenge validation failed") 195 + return False 196 + except errors.TimeoutError: 197 + if attempt == max_attempts - 1: 198 + logger.error("Challenge validation timeout") 199 + return False 200 + continue 201 + 202 + return False 203 + 204 + def needs_renewal(self) -> bool: 205 + """Check if certificate needs renewal.""" 206 + if not self.cert_path.exists(): 207 + return True 208 + 209 + try: 210 + with open(self.cert_path, 'rb') as f: 211 + cert_data = f.read() 212 + cert = x509.load_pem_x509_certificate(cert_data, default_backend()) 213 + 214 + # Renew if less than 30 days remaining 215 + days_remaining = (cert.not_valid_after_utc - 216 + datetime.now(timezone.utc)).days 217 + 218 + if days_remaining < 30: 219 + logger.info("Certificate needs renewal", days_remaining=days_remaining) 220 + return True 221 + 222 + logger.info("Certificate still valid", days_remaining=days_remaining) 223 + return False 224 + 225 + except Exception as e: 226 + logger.error("Error checking certificate", error=str(e)) 227 + return True 228 + 229 + def obtain_certificate(self) -> Tuple[Path, Path, Path]: 230 + """Obtain or renew SSL certificate. 231 + 232 + Returns: 233 + Tuple of (cert_path, key_path, fullchain_path) 234 + """ 235 + if not self.needs_renewal(): 236 + logger.info("Certificate is still valid, skipping renewal") 237 + return self.cert_path, self.key_path, self.fullchain_path 238 + 239 + logger.info( 240 + "Obtaining SSL certificate", 241 + domain=self.domain, 242 + staging=self.staging 243 + ) 244 + 245 + try: 246 + # Start challenge server 247 + self._start_challenge_server() 248 + 249 + # Get or create account key 250 + account_key = self._get_or_create_account_key() 251 + 252 + # Create ACME client 253 + net = client.ClientNetwork(account_key) 254 + directory = messages.Directory.from_json( 255 + net.get(self.directory_url).json() 256 + ) 257 + acme_client = client.ClientV2(directory, net=net) 258 + 259 + # Register or get existing account 260 + try: 261 + account = acme_client.new_account( 262 + messages.NewRegistration.from_data( 263 + email=self.email, 264 + terms_of_service_agreed=True 265 + ) 266 + ) 267 + logger.info("Created new ACME account") 268 + except errors.ConflictError: 269 + # Account already exists 270 + account = acme_client.query_registration( 271 + messages.Registration(key=account_key.public_key()) 272 + ) 273 + logger.info("Using existing ACME account") 274 + 275 + # Generate certificate private key 276 + cert_key = self._generate_private_key() 277 + 278 + # Create CSR 279 + csr = self._create_csr(cert_key) 280 + 281 + # Request certificate 282 + order = acme_client.new_order(csr) 283 + 284 + # Complete challenges 285 + for authz in order.authorizations: 286 + if not self._perform_http01_challenge(acme_client, authz): 287 + raise Exception(f"Failed to complete challenge for {authz.body.identifier.value}") 288 + 289 + # Finalize order 290 + order = acme_client.poll_and_finalize(order) 291 + 292 + if order.fullchain_pem: 293 + # Save certificate and key 294 + with open(self.cert_path, 'w') as f: 295 + f.write(order.fullchain_pem.split('\n\n')[0] + '\n') 296 + 297 + with open(self.fullchain_path, 'w') as f: 298 + f.write(order.fullchain_pem) 299 + 300 + key_pem = cert_key.private_bytes( 301 + encoding=serialization.Encoding.PEM, 302 + format=serialization.PrivateFormat.TraditionalOpenSSL, 303 + encryption_algorithm=serialization.NoEncryption() 304 + ).decode('utf-8') 305 + 306 + with open(self.key_path, 'w') as f: 307 + f.write(key_pem) 308 + 309 + # Set proper permissions 310 + os.chmod(self.key_path, 0o600) 311 + os.chmod(self.cert_path, 0o644) 312 + os.chmod(self.fullchain_path, 0o644) 313 + 314 + logger.info( 315 + "Certificate obtained successfully", 316 + cert_path=str(self.cert_path), 317 + key_path=str(self.key_path), 318 + fullchain_path=str(self.fullchain_path) 319 + ) 320 + 321 + return self.cert_path, self.key_path, self.fullchain_path 322 + else: 323 + raise Exception("Failed to obtain certificate") 324 + 325 + except Exception as e: 326 + logger.error("Failed to obtain certificate", error=str(e)) 327 + raise 328 + finally: 329 + # Clean up challenge tokens and stop server 330 + self.challenge_tokens.clear() 331 + self._stop_challenge_server() 332 + 333 + def setup_auto_renewal(self, check_interval: int = 86400): 334 + """Setup automatic certificate renewal. 335 + 336 + Args: 337 + check_interval: Interval in seconds to check for renewal (default: 24 hours) 338 + """ 339 + def renewal_loop(): 340 + """Background renewal loop.""" 341 + while True: 342 + try: 343 + if self.needs_renewal(): 344 + logger.info("Certificate renewal needed") 345 + self.obtain_certificate() 346 + else: 347 + logger.debug("Certificate renewal not needed") 348 + except Exception as e: 349 + logger.error("Certificate renewal check failed", error=str(e)) 350 + 351 + time.sleep(check_interval) 352 + 353 + renewal_thread = threading.Thread(target=renewal_loop, daemon=True) 354 + renewal_thread.start() 355 + logger.info("Started automatic certificate renewal", interval_hours=check_interval/3600)
+14 -1
netdata_zulip_bot/config.py
··· 41 41 host=os.getenv("SERVER_HOST", "0.0.0.0"), 42 42 port=int(os.getenv("SERVER_PORT", "8443")), 43 43 domain=os.getenv("SERVER_DOMAIN", ""), 44 - cert_path=os.getenv("SERVER_CERT_PATH", "/etc/letsencrypt/live"), 44 + cert_path=os.getenv("SERVER_CERT_PATH", "./certs"), 45 45 enable_mtls=os.getenv("SERVER_ENABLE_MTLS", "true").lower() == "true", 46 + auto_cert=os.getenv("SERVER_AUTO_CERT", "false").lower() == "true", 47 + cert_email=os.getenv("SERVER_CERT_EMAIL", ""), 48 + cert_staging=os.getenv("SERVER_CERT_STAGING", "false").lower() == "true", 49 + acme_port=int(os.getenv("SERVER_ACME_PORT", "80")), 46 50 ) 47 51 48 52 # Validate required server settings ··· 52 56 "environment variable." 53 57 ) 54 58 59 + # Validate auto-cert specific settings 60 + if server_config.auto_cert and not server_config.cert_email: 61 + raise ValueError( 62 + "When SERVER_AUTO_CERT is enabled, SERVER_CERT_EMAIL must be set " 63 + "for Let's Encrypt account registration." 64 + ) 65 + 55 66 logger.info( 56 67 "Configuration loaded", 57 68 zulip_site=zulip_config.site, ··· 61 72 server_port=server_config.port, 62 73 server_domain=server_config.domain, 63 74 mtls_enabled=server_config.enable_mtls, 75 + auto_cert=server_config.auto_cert, 76 + cert_staging=server_config.cert_staging, 64 77 ) 65 78 66 79 return zulip_config, server_config
+13 -1
netdata_zulip_bot/main.py
··· 46 46 SERVER_HOST=0.0.0.0 47 47 SERVER_PORT=8443 48 48 SERVER_DOMAIN=your-domain.com 49 - SERVER_CERT_PATH=/etc/letsencrypt/live 50 49 SERVER_ENABLE_MTLS=true 50 + 51 + # Automated SSL Certificate Configuration (Recommended) 52 + SERVER_AUTO_CERT=true 53 + SERVER_CERT_EMAIL=admin@example.com 54 + SERVER_CERT_PATH=./certs 55 + # Use Let's Encrypt staging server for testing 56 + SERVER_CERT_STAGING=false 57 + # Port for ACME HTTP-01 challenge (must be accessible from internet) 58 + SERVER_ACME_PORT=80 59 + 60 + # Manual SSL Certificate Configuration (if not using auto-cert) 61 + # SERVER_AUTO_CERT=false 62 + # SERVER_CERT_PATH=/etc/letsencrypt/live 51 63 """ 52 64 53 65 with open(".env.sample", 'w') as f:
+5 -1
netdata_zulip_bot/models.py
··· 84 84 host: str = "0.0.0.0" 85 85 port: int = 8443 86 86 domain: str # Required for Let's Encrypt 87 - cert_path: str = "/etc/letsencrypt/live" 87 + cert_path: str = "./certs" # Directory for storing certificates 88 88 enable_mtls: bool = True 89 + auto_cert: bool = False # Enable automatic certificate management 90 + cert_email: str = "" # Email for Let's Encrypt account 91 + cert_staging: bool = False # Use Let's Encrypt staging server 92 + acme_port: int = 80 # Port for ACME HTTP-01 challenge 89 93 90 94 model_config = ConfigDict(env_prefix="SERVER_")
+46 -14
netdata_zulip_bot/server.py
··· 10 10 from fastapi import FastAPI, HTTPException, Request, status 11 11 from fastapi.responses import JSONResponse 12 12 13 + from .cert_manager import CertificateManager 13 14 from .formatter import ZulipMessageFormatter 14 15 from .models import WebhookPayload, ZulipConfig, ServerConfig 15 16 from .netdata_ca import NETDATA_CA_CERT ··· 31 32 self.zulip_config = zulip_config 32 33 self.server_config = server_config 33 34 self.formatter = ZulipMessageFormatter() 35 + self.cert_manager = None 36 + 37 + # Initialize certificate manager if auto-cert is enabled 38 + if self.server_config.auto_cert: 39 + self.cert_manager = CertificateManager( 40 + domain=self.server_config.domain, 41 + email=self.server_config.cert_email, 42 + cert_dir=Path(self.server_config.cert_path), 43 + staging=self.server_config.cert_staging, 44 + port=self.server_config.acme_port 45 + ) 34 46 35 47 # Initialize Zulip client 36 48 try: ··· 126 138 """Create SSL context for HTTPS and mutual TLS.""" 127 139 context = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER) 128 140 129 - # Load server certificate and key 130 - cert_path = Path(self.server_config.cert_path) / self.server_config.domain 131 - cert_file = cert_path / "fullchain.pem" 132 - key_file = cert_path / "privkey.pem" 133 - 134 - if not cert_file.exists() or not key_file.exists(): 135 - logger.error( 136 - "SSL certificate files not found", 137 - cert_file=str(cert_file), 138 - key_file=str(key_file) 139 - ) 140 - raise FileNotFoundError(f"SSL certificate files not found at {cert_path}") 141 + # Get certificate paths 142 + if self.cert_manager and self.server_config.auto_cert: 143 + # Use automated certificates 144 + try: 145 + cert_file, key_file, fullchain_file = self.cert_manager.obtain_certificate() 146 + logger.info( 147 + "Using automated SSL certificate", 148 + cert_file=str(cert_file), 149 + key_file=str(key_file) 150 + ) 151 + except Exception as e: 152 + logger.error("Failed to obtain automated certificate", error=str(e)) 153 + raise 154 + else: 155 + # Use manually provided certificates 156 + cert_path = Path(self.server_config.cert_path) / self.server_config.domain 157 + fullchain_file = cert_path / "fullchain.pem" 158 + key_file = cert_path / "privkey.pem" 159 + 160 + if not fullchain_file.exists() or not key_file.exists(): 161 + logger.error( 162 + "SSL certificate files not found", 163 + cert_file=str(fullchain_file), 164 + key_file=str(key_file) 165 + ) 166 + raise FileNotFoundError(f"SSL certificate files not found at {cert_path}") 141 167 142 - context.load_cert_chain(str(cert_file), str(key_file)) 168 + context.load_cert_chain(str(fullchain_file), str(key_file)) 143 169 144 170 # Configure mutual TLS if enabled 145 171 if self.server_config.enable_mtls: ··· 164 190 def run(self): 165 191 """Run the webhook server with HTTPS and optional mutual TLS.""" 166 192 try: 193 + # Setup automatic certificate renewal if enabled 194 + if self.cert_manager and self.server_config.auto_cert: 195 + self.cert_manager.setup_auto_renewal() 196 + logger.info("Automatic certificate renewal enabled") 197 + 167 198 ssl_context = self.get_ssl_context() 168 199 169 200 logger.info( ··· 171 202 host=self.server_config.host, 172 203 port=self.server_config.port, 173 204 domain=self.server_config.domain, 174 - mtls_enabled=self.server_config.enable_mtls 205 + mtls_enabled=self.server_config.enable_mtls, 206 + auto_cert=self.server_config.auto_cert 175 207 ) 176 208 177 209 uvicorn.run(
+2 -1
pyproject.toml
··· 13 13 "zulip>=0.9.0", 14 14 "pydantic>=2.5.0", 15 15 "python-multipart>=0.0.6", 16 - "certbot>=2.8.0", 16 + "acme>=2.8.0", 17 + "josepy>=1.14.0", 17 18 "cryptography>=41.0.0", 18 19 "python-dotenv>=1.0.0", 19 20 "structlog>=23.2.0",
+129
tests/test_cert_manager.py
··· 1 + """Tests for the certificate manager module.""" 2 + 3 + import tempfile 4 + from pathlib import Path 5 + from unittest.mock import Mock, patch, MagicMock 6 + 7 + import pytest 8 + 9 + from netdata_zulip_bot.cert_manager import CertificateManager 10 + 11 + 12 + class TestCertificateManager: 13 + """Test certificate manager functionality.""" 14 + 15 + @pytest.fixture 16 + def temp_cert_dir(self): 17 + """Create a temporary directory for certificates.""" 18 + with tempfile.TemporaryDirectory() as tmpdir: 19 + yield Path(tmpdir) 20 + 21 + @pytest.fixture 22 + def cert_manager(self, temp_cert_dir): 23 + """Create a certificate manager instance.""" 24 + return CertificateManager( 25 + domain="test.example.com", 26 + email="test@example.com", 27 + cert_dir=temp_cert_dir, 28 + staging=True, # Always use staging for tests 29 + port=8080 30 + ) 31 + 32 + def test_initialization(self, cert_manager, temp_cert_dir): 33 + """Test certificate manager initialization.""" 34 + assert cert_manager.domain == "test.example.com" 35 + assert cert_manager.email == "test@example.com" 36 + assert cert_manager.cert_dir == temp_cert_dir 37 + assert cert_manager.staging is True 38 + assert cert_manager.challenge_port == 8080 39 + 40 + # Check that paths are created correctly 41 + assert cert_manager.account_key_path == temp_cert_dir / "account_key.pem" 42 + assert cert_manager.cert_path == temp_cert_dir / "test.example.com_cert.pem" 43 + assert cert_manager.key_path == temp_cert_dir / "test.example.com_key.pem" 44 + assert cert_manager.fullchain_path == temp_cert_dir / "test.example.com_fullchain.pem" 45 + 46 + def test_cert_dir_creation(self, temp_cert_dir): 47 + """Test that certificate directory is created if it doesn't exist.""" 48 + new_dir = temp_cert_dir / "nested" / "certs" 49 + cert_manager = CertificateManager( 50 + domain="test.example.com", 51 + email="test@example.com", 52 + cert_dir=new_dir, 53 + staging=True 54 + ) 55 + assert new_dir.exists() 56 + assert new_dir.is_dir() 57 + 58 + @patch('netdata_zulip_bot.cert_manager.x509') 59 + def test_needs_renewal_no_cert(self, mock_x509, cert_manager): 60 + """Test that renewal is needed when certificate doesn't exist.""" 61 + assert cert_manager.needs_renewal() is True 62 + 63 + @patch('netdata_zulip_bot.cert_manager.datetime') 64 + @patch('netdata_zulip_bot.cert_manager.x509') 65 + def test_needs_renewal_expired(self, mock_x509, mock_datetime, cert_manager): 66 + """Test that renewal is needed when certificate is expiring soon.""" 67 + from datetime import datetime, timezone, timedelta 68 + 69 + # Create a mock certificate file 70 + cert_manager.cert_path.touch() 71 + 72 + # Mock certificate with 20 days remaining 73 + mock_cert = Mock() 74 + now = datetime(2024, 1, 1, tzinfo=timezone.utc) 75 + mock_cert.not_valid_after_utc = now + timedelta(days=20) 76 + mock_x509.load_pem_x509_certificate.return_value = mock_cert 77 + mock_datetime.now.return_value = now 78 + 79 + assert cert_manager.needs_renewal() is True 80 + 81 + @patch('netdata_zulip_bot.cert_manager.datetime') 82 + @patch('netdata_zulip_bot.cert_manager.x509') 83 + def test_needs_renewal_valid(self, mock_x509, mock_datetime, cert_manager): 84 + """Test that renewal is not needed when certificate is still valid.""" 85 + from datetime import datetime, timezone, timedelta 86 + 87 + # Create a mock certificate file 88 + cert_manager.cert_path.touch() 89 + 90 + # Mock certificate with 60 days remaining 91 + mock_cert = Mock() 92 + now = datetime(2024, 1, 1, tzinfo=timezone.utc) 93 + mock_cert.not_valid_after_utc = now + timedelta(days=60) 94 + mock_x509.load_pem_x509_certificate.return_value = mock_cert 95 + mock_datetime.now.return_value = now 96 + 97 + assert cert_manager.needs_renewal() is False 98 + 99 + def test_generate_private_key(self, cert_manager): 100 + """Test private key generation.""" 101 + key = cert_manager._generate_private_key() 102 + assert key is not None 103 + assert key.key_size == 2048 104 + 105 + @patch('netdata_zulip_bot.cert_manager.threading.Thread') 106 + def test_challenge_server_start(self, mock_thread, cert_manager): 107 + """Test that challenge server starts correctly.""" 108 + cert_manager._start_challenge_server() 109 + 110 + # Verify thread was created and started 111 + mock_thread.assert_called_once() 112 + mock_thread.return_value.start.assert_called_once() 113 + 114 + def test_challenge_tokens_storage(self, cert_manager): 115 + """Test that challenge tokens are stored correctly.""" 116 + cert_manager.challenge_tokens["test_token"] = "test_response" 117 + assert cert_manager.challenge_tokens["test_token"] == "test_response" 118 + 119 + @patch('netdata_zulip_bot.cert_manager.client.ClientV2') 120 + @patch('netdata_zulip_bot.cert_manager.client.ClientNetwork') 121 + def test_obtain_certificate_mock(self, mock_network, mock_client, cert_manager): 122 + """Test certificate obtaining with mocked ACME client.""" 123 + # This is a simplified test that mocks the ACME interaction 124 + # In production, this would interact with Let's Encrypt staging server 125 + 126 + # Mock that certificate doesn't need renewal 127 + with patch.object(cert_manager, 'needs_renewal', return_value=False): 128 + paths = cert_manager.obtain_certificate() 129 + assert paths == (cert_manager.cert_path, cert_manager.key_path, cert_manager.fullchain_path)
+4 -68
uv.lock
··· 70 70 ] 71 71 72 72 [[package]] 73 - name = "certbot" 74 - version = "4.2.0" 75 - source = { registry = "https://pypi.org/simple" } 76 - dependencies = [ 77 - { name = "acme" }, 78 - { name = "configargparse" }, 79 - { name = "configobj" }, 80 - { name = "cryptography" }, 81 - { name = "distro" }, 82 - { name = "josepy" }, 83 - { name = "parsedatetime" }, 84 - { name = "pyrfc3339" }, 85 - { name = "pywin32", marker = "sys_platform == 'win32'" }, 86 - ] 87 - sdist = { url = "https://files.pythonhosted.org/packages/f2/e3/199262bf00c9bd5dfccfe0a64c26c2fb132b92511bee416c3408a54b4cf1/certbot-4.2.0.tar.gz", hash = "sha256:fb1e56ca8a072bec49ac0c7b5390a29cbf68c2c05f712259a9b3491de041c27b", size = 442984, upload-time = "2025-08-05T19:19:22.495Z" } 88 - wheels = [ 89 - { url = "https://files.pythonhosted.org/packages/fa/e4/5176fcd1195ffd358bb1129baa0f411da7eede3d47eb39e05062b5f22105/certbot-4.2.0-py3-none-any.whl", hash = "sha256:8fcca0c1a06df9ce39e89b7d13c70506e1372823e8b5993633d21adb77581950", size = 409215, upload-time = "2025-08-05T19:19:06.803Z" }, 90 - ] 91 - 92 - [[package]] 93 73 name = "certifi" 94 74 version = "2025.8.3" 95 75 source = { registry = "https://pypi.org/simple" } ··· 218 198 ] 219 199 220 200 [[package]] 221 - name = "configargparse" 222 - version = "1.7.1" 223 - source = { registry = "https://pypi.org/simple" } 224 - sdist = { url = "https://files.pythonhosted.org/packages/85/4d/6c9ef746dfcc2a32e26f3860bb4a011c008c392b83eabdfb598d1a8bbe5d/configargparse-1.7.1.tar.gz", hash = "sha256:79c2ddae836a1e5914b71d58e4b9adbd9f7779d4e6351a637b7d2d9b6c46d3d9", size = 43958, upload-time = "2025-05-23T14:26:17.369Z" } 225 - wheels = [ 226 - { url = "https://files.pythonhosted.org/packages/31/28/d28211d29bcc3620b1fece85a65ce5bb22f18670a03cd28ea4b75ede270c/configargparse-1.7.1-py3-none-any.whl", hash = "sha256:8b586a31f9d873abd1ca527ffbe58863c99f36d896e2829779803125e83be4b6", size = 25607, upload-time = "2025-05-23T14:26:15.923Z" }, 227 - ] 228 - 229 - [[package]] 230 - name = "configobj" 231 - version = "5.0.9" 232 - source = { registry = "https://pypi.org/simple" } 233 - sdist = { url = "https://files.pythonhosted.org/packages/f5/c4/c7f9e41bc2e5f8eeae4a08a01c91b2aea3dfab40a3e14b25e87e7db8d501/configobj-5.0.9.tar.gz", hash = "sha256:03c881bbf23aa07bccf1b837005975993c4ab4427ba57f959afdd9d1a2386848", size = 101518, upload-time = "2024-09-21T12:47:46.315Z" } 234 - wheels = [ 235 - { url = "https://files.pythonhosted.org/packages/a6/c4/0679472c60052c27efa612b4cd3ddd2a23e885dcdc73461781d2c802d39e/configobj-5.0.9-py2.py3-none-any.whl", hash = "sha256:1ba10c5b6ee16229c79a05047aeda2b55eb4e80d7c7d8ecf17ec1ca600c79882", size = 35615, upload-time = "2024-11-26T14:03:32.972Z" }, 236 - ] 237 - 238 - [[package]] 239 201 name = "cryptography" 240 202 version = "45.0.6" 241 203 source = { registry = "https://pypi.org/simple" } ··· 409 371 version = "0.1.0" 410 372 source = { editable = "." } 411 373 dependencies = [ 412 - { name = "certbot" }, 374 + { name = "acme" }, 413 375 { name = "cryptography" }, 414 376 { name = "fastapi" }, 377 + { name = "josepy" }, 415 378 { name = "pydantic" }, 416 379 { name = "python-dotenv" }, 417 380 { name = "python-multipart" }, ··· 438 401 439 402 [package.metadata] 440 403 requires-dist = [ 404 + { name = "acme", specifier = ">=2.8.0" }, 441 405 { name = "black", marker = "extra == 'dev'", specifier = ">=23.0.0" }, 442 - { name = "certbot", specifier = ">=2.8.0" }, 443 406 { name = "cryptography", specifier = ">=41.0.0" }, 444 407 { name = "fastapi", specifier = ">=0.104.0" }, 445 408 { name = "httpx", marker = "extra == 'dev'", specifier = ">=0.25.0" }, 409 + { name = "josepy", specifier = ">=1.14.0" }, 446 410 { name = "pydantic", specifier = ">=2.5.0" }, 447 411 { name = "pytest", marker = "extra == 'dev'", specifier = ">=7.4.0" }, 448 412 { name = "pytest-asyncio", marker = "extra == 'dev'", specifier = ">=0.21.0" }, ··· 472 436 ] 473 437 474 438 [[package]] 475 - name = "parsedatetime" 476 - version = "2.6" 477 - source = { registry = "https://pypi.org/simple" } 478 - sdist = { url = "https://files.pythonhosted.org/packages/a8/20/cb587f6672dbe585d101f590c3871d16e7aec5a576a1694997a3777312ac/parsedatetime-2.6.tar.gz", hash = "sha256:4cb368fbb18a0b7231f4d76119165451c8d2e35951455dfee97c62a87b04d455", size = 60114, upload-time = "2020-05-31T23:50:57.443Z" } 479 - wheels = [ 480 - { url = "https://files.pythonhosted.org/packages/9d/a4/3dd804926a42537bf69fb3ebb9fd72a50ba84f807d95df5ae016606c976c/parsedatetime-2.6-py3-none-any.whl", hash = "sha256:cb96edd7016872f58479e35879294258c71437195760746faffedb692aef000b", size = 42548, upload-time = "2020-05-31T23:50:56.315Z" }, 481 - ] 482 - 483 - [[package]] 484 439 name = "pathspec" 485 440 version = "0.12.1" 486 441 source = { registry = "https://pypi.org/simple" } ··· 671 626 sdist = { url = "https://files.pythonhosted.org/packages/f3/87/f44d7c9f274c7ee665a29b885ec97089ec5dc034c7f3fafa03da9e39a09e/python_multipart-0.0.20.tar.gz", hash = "sha256:8dd0cab45b8e23064ae09147625994d090fa46f5b0d1e13af944c331a7fa9d13", size = 37158, upload-time = "2024-12-16T19:45:46.972Z" } 672 627 wheels = [ 673 628 { url = "https://files.pythonhosted.org/packages/45/58/38b5afbc1a800eeea951b9285d3912613f2603bdf897a4ab0f4bd7f405fc/python_multipart-0.0.20-py3-none-any.whl", hash = "sha256:8a62d3a8335e06589fe01f2a3e178cdcc632f3fbe0d492ad9ee0ec35aab1f104", size = 24546, upload-time = "2024-12-16T19:45:44.423Z" }, 674 - ] 675 - 676 - [[package]] 677 - name = "pywin32" 678 - version = "311" 679 - source = { registry = "https://pypi.org/simple" } 680 - wheels = [ 681 - { url = "https://files.pythonhosted.org/packages/7c/af/449a6a91e5d6db51420875c54f6aff7c97a86a3b13a0b4f1a5c13b988de3/pywin32-311-cp311-cp311-win32.whl", hash = "sha256:184eb5e436dea364dcd3d2316d577d625c0351bf237c4e9a5fabbcfa5a58b151", size = 8697031, upload-time = "2025-07-14T20:13:13.266Z" }, 682 - { url = "https://files.pythonhosted.org/packages/51/8f/9bb81dd5bb77d22243d33c8397f09377056d5c687aa6d4042bea7fbf8364/pywin32-311-cp311-cp311-win_amd64.whl", hash = "sha256:3ce80b34b22b17ccbd937a6e78e7225d80c52f5ab9940fe0506a1a16f3dab503", size = 9508308, upload-time = "2025-07-14T20:13:15.147Z" }, 683 - { url = "https://files.pythonhosted.org/packages/44/7b/9c2ab54f74a138c491aba1b1cd0795ba61f144c711daea84a88b63dc0f6c/pywin32-311-cp311-cp311-win_arm64.whl", hash = "sha256:a733f1388e1a842abb67ffa8e7aad0e70ac519e09b0f6a784e65a136ec7cefd2", size = 8703930, upload-time = "2025-07-14T20:13:16.945Z" }, 684 - { url = "https://files.pythonhosted.org/packages/e7/ab/01ea1943d4eba0f850c3c61e78e8dd59757ff815ff3ccd0a84de5f541f42/pywin32-311-cp312-cp312-win32.whl", hash = "sha256:750ec6e621af2b948540032557b10a2d43b0cee2ae9758c54154d711cc852d31", size = 8706543, upload-time = "2025-07-14T20:13:20.765Z" }, 685 - { url = "https://files.pythonhosted.org/packages/d1/a8/a0e8d07d4d051ec7502cd58b291ec98dcc0c3fff027caad0470b72cfcc2f/pywin32-311-cp312-cp312-win_amd64.whl", hash = "sha256:b8c095edad5c211ff31c05223658e71bf7116daa0ecf3ad85f3201ea3190d067", size = 9495040, upload-time = "2025-07-14T20:13:22.543Z" }, 686 - { url = "https://files.pythonhosted.org/packages/ba/3a/2ae996277b4b50f17d61f0603efd8253cb2d79cc7ae159468007b586396d/pywin32-311-cp312-cp312-win_arm64.whl", hash = "sha256:e286f46a9a39c4a18b319c28f59b61de793654af2f395c102b4f819e584b5852", size = 8710102, upload-time = "2025-07-14T20:13:24.682Z" }, 687 - { url = "https://files.pythonhosted.org/packages/a5/be/3fd5de0979fcb3994bfee0d65ed8ca9506a8a1260651b86174f6a86f52b3/pywin32-311-cp313-cp313-win32.whl", hash = "sha256:f95ba5a847cba10dd8c4d8fefa9f2a6cf283b8b88ed6178fa8a6c1ab16054d0d", size = 8705700, upload-time = "2025-07-14T20:13:26.471Z" }, 688 - { url = "https://files.pythonhosted.org/packages/e3/28/e0a1909523c6890208295a29e05c2adb2126364e289826c0a8bc7297bd5c/pywin32-311-cp313-cp313-win_amd64.whl", hash = "sha256:718a38f7e5b058e76aee1c56ddd06908116d35147e133427e59a3983f703a20d", size = 9494700, upload-time = "2025-07-14T20:13:28.243Z" }, 689 - { url = "https://files.pythonhosted.org/packages/04/bf/90339ac0f55726dce7d794e6d79a18a91265bdf3aa70b6b9ca52f35e022a/pywin32-311-cp313-cp313-win_arm64.whl", hash = "sha256:7b4075d959648406202d92a2310cb990fea19b535c7f4a78d3f5e10b926eeb8a", size = 8709318, upload-time = "2025-07-14T20:13:30.348Z" }, 690 - { url = "https://files.pythonhosted.org/packages/c9/31/097f2e132c4f16d99a22bfb777e0fd88bd8e1c634304e102f313af69ace5/pywin32-311-cp314-cp314-win32.whl", hash = "sha256:b7a2c10b93f8986666d0c803ee19b5990885872a7de910fc460f9b0c2fbf92ee", size = 8840714, upload-time = "2025-07-14T20:13:32.449Z" }, 691 - { url = "https://files.pythonhosted.org/packages/90/4b/07c77d8ba0e01349358082713400435347df8426208171ce297da32c313d/pywin32-311-cp314-cp314-win_amd64.whl", hash = "sha256:3aca44c046bd2ed8c90de9cb8427f581c479e594e99b5c0bb19b29c10fd6cb87", size = 9656800, upload-time = "2025-07-14T20:13:34.312Z" }, 692 - { url = "https://files.pythonhosted.org/packages/c0/d2/21af5c535501a7233e734b8af901574572da66fcc254cb35d0609c9080dd/pywin32-311-cp314-cp314-win_arm64.whl", hash = "sha256:a508e2d9025764a8270f93111a970e1d0fbfc33f4153b388bb649b7eec4f9b42", size = 8932540, upload-time = "2025-07-14T20:13:36.379Z" }, 693 629 ] 694 630 695 631 [[package]]